[148736] in cryptography@c2.net mail archive

Re: [Cryptography] how reliably do audits spot backdoors?

daemon@ATHENA.MIT.EDU (ianG)
Thu Dec 26 13:44:43 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 26 Dec 2013 10:35:40 +0300
From: ianG <iang@iang.org>
To: Phillip Hallam-Baker <hallam@gmail.com>, 
	"James A. Donald" <jamesd@echeque.com>
In-Reply-To: <CAMm+Lwg8iLVCVCH-OgNQn2TFkNk8TJt0XwYRv5rW0d_1hyQFhg@mail.gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 25/12/13 20:09 PM, Phillip Hallam-Baker wrote:

> But that type of code review is only possible for closed source where
> someone is being paid or in an exceptionally highly motivated open
> source project.
>
> I can't slap the authors of OpenSSL and tell them to document their
> stuff, let alone force a rewrite
Which is the problem.  People *talk about open source being safer* but 
they have no mechanism to really make it safer, other than (windmill) 
"you can make it safer if you just contribute..."

Bug bounties have been tried, but they seem to be inherently blunt tools.

We need some sort of flow of value that rewards the hard slow effort of 
code review.  Something like a bitcoin mining algorithm, where the proof 
of work is the review.  Bugcoin?

iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography